The Lessons Hardest Learned

A short time ago, I was on my favorite
IRC channel when a friend of mine (we'll call him Joe) asked me to
help him install Java and Flash on his system. We had worked
through a few Linux problems before, and I was willing to
help.

Together, we got Java enabled. I then helped him get Flash
downloaded, and we began the instructions to untar and install
Flash. Right about then, someone else popped into the channel and
began to help us out as well. This new participant (let's call him
Frank) was a person I have long recognized as having far more Linux
skills than I, so his advice was welcomed.

A few commands into the session, our guru, Frank, typed out
this command: passwd -l root. This was meant, of
course, to be a joke.

Joe dutifully typed in the command and echoed back a very
chilling word in IRC, success. At the time,
Frank and I both assumed that Joe was returning the kidding, and we
thought nothing else about it.

The horror of this fiasco sank in about 20 minutes later when
we asked Joe to su so he could copy a file. He
told us that his system would not accept root's password, so Frank
led Joe through a series of commands to ascertain some information
about Joe's system. Evidently, Joe had set up his user account with
root privileges. A while later I wandered off, unable to contribute
any further to the recovery efforts.

There is a three-fold purpose to this story. For newcomers to
Linux, some cardinal rules should be elaborated upon. For the
experts of the world, a few nuggets of wisdom can be gleaned here
as well. First of all, root and user accounts should be kept
separate for a reason. Root is all powerful and is meant to be used
in certain situations only. Had Joe's user account not been root
privileged, the passwd command would have failed and this would be
just another funny story. Root can do anything it wants to your
system, and if you aren't sure exactly what the results of your
actions will be, then neither root nor you should be doing those
actions.

My experience has been that Windows power-users have the
hardest time overcoming the belief that their user account should
be able to do anything it wants. After all, to run Windows, you
need that kind of access, right? Please avoid the temptation to
elevate your user account's privileges. I personally learned this
the hard way. I had a root-level user account on my first install.
I had to reinstall Linux after accidentally doing a chmod -R 777
while in the / directory.

The second purpose of this story is to reinforce that no
matter how well you know someone, no matter how much you trust your
resource--whatever or whomever that may be--never simply do as you're
told. Take the opportunity to learn more about Linux by checking
the man pages on the commands you are given. Make doubly sure to
research each of the options in that command. I'm sure Joe would
have questioned Frank more closely after a quick passwd --help.
Often, command --help displays a summary of the command and its
options, and issuing the command man command typically yields even
more information.

Finally, never make the mistake of assuming that the person
you are helping has a certain level of knowledge. Frank was
innocently playing around and inadvertently caused harm to Joe's
system. I, too, assumed that Joe knew better. I was equally
culpable (and if you read this, Joe, I am very
sorry about this), in that I didn't call attention to the joke.
True, Joe had been using Linux for some time now, but Frank and I
should not have been messing around like that. We were there to
help and, instead, had the opposite effect.

Always take the time to explain what the commands you are
giving out should do. Similarly, encourage the new Linux user to
check the man pages and make sure they know what the expected
output should be. Always strive to help; after all, we're a
community.

Now that I've finished relating this tale, I'm going to go
off and find out what happened to Joe's system. And
apologize.

Epilogue: Frank called Joe on the telephone and helped Joe
manually edit the root password back to what it was. System
saved!
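
The two conditions that turned the joke into an outage can be checked ahead of time. This is an added example, not part of the original article: it assumes Joe's "root privileges" meant a UID of 0, relies on passwd -l marking a lock by prefixing the shadow password field with "!", and runs on constructed sample data.

```shell
#!/bin/sh
# Added example. All account data below is constructed, not from a real system.
# passwd(5) fields: name:password:UID:GID:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
joe:x:0:0:Joe:/home/joe:/bin/bash
frank:x:1000:1000:Frank:/home/frank:/bin/bash'

# shadow(5) fields: name:password-hash:lastchange:min:max:warn:...
# The leading "!" on root is what "passwd -l root" leaves behind.
SAMPLE_SHADOW='root:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:16000:0:99999:7:::
joe:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:16000:0:99999:7:::
frank::16000:0:99999:7:::'

# Read passwd-format text on stdin; print each account other than "root"
# whose UID is 0, i.e. an everyday login that is really root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Read shadow-format text on stdin; print the password state of account $1:
#   locked  - field starts with "!" or "*", no password can match
#   empty   - no password required
#   set     - a hash is present
#   missing - no such account in the input
shadow_state() {
    awk -F: -v user="$1" '
        $1 == user {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else                   print "set"
        }
        END { if (!found) print "missing" }'
}

# Report on the constructed sample; on a real system, feed in /etc/passwd
# and (as root) /etc/shadow instead.
for name in $(printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts); do
    echo "WARNING: $name has UID 0 and runs every command as root"
done
echo "root password state: $(printf '%s\n' "$SAMPLE_SHADOW" | shadow_state root)"
```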

As someone who has been both a newbie and an expert, the idea that people helping me would be making side jokes that look like assistance is deeply disturbing.

If you consent to help someone, even on a casual basis like this, you are ethically bound to be honest, accurate, and helpful. If you are dishonest about your level of knowledge, or the seriousness of their problem, you're not helping, though they may think you are. If your advice is inaccurate (as in the joke above), they may be harmed through your misspeaking. If you are not helpful (as in the joke above), again you are wasting their time and patience, and would be better off encouraging them to ask someone else.

Remember that offering to help creates a trust relationship. Take that trust seriously, it is given in all seriousness.

This is why when you want to play a joke on newbies, make sure it is non-destructive.

$ cat /dev/urandom > /dev/dsp

Or, if you are a newbie to Linux hang out in IRC channels where you know there are (or might be) ops that keep people in line if they start suggesting dangerous commands. #linuxhelp on irc.openprojects.net is like that, there are always people there to kick the jerks out. There are even helpful people there too. ;)

By their very nature, new Linux users don't know the power of some commands. They don't even know how to check what things do yet. I just wish there was a really good GUI man frontend that sat on these new desktop distros; that asked new users to take a look around at what they can do.

$ man /sbin/* /bin/*

Note: even with a deleted root password, everything was not lost. Linux allows you to boot into "single" user mode and fix things up. It's just more trouble than most newbies want to deal with.

WOW! You've got some very, very large balls for telling this story. I'm sure you expected to get some grief for telling it too, but I'm glad you did. It needed to be told.

I've spent a large part of the last ten years performing various support roles, from DOS to Windoze to vertical software markets, and across several states. The one universal joke is "ok sir/maam, now type - format space c:". Of course, in all that time, no one I've ever heard of has actually told a customer to do this.

Some people are making comments that software shouldn't allow you to hurt yourself and such...

What a load of *****! If you're going to help someone, you don't help them to hurt themself.

If you're helping someone, you have to assume a lower knowledge level. Why else are they seeking your help?

The lesson to learn here is that software should not let users do things quite this silly. The passwd command should not let you lock the root account - it makes no sense to have the root account unloggable into, but accessible only to someone logged in as root.

The passwd command should not let you lock the root account - it makes no sense to have the root account unloggable into, but accessible only to someone logged in as root.

Sure it makes sense. This guy had a root-level account already - why would you need the actual official 'root' in addition to that?
Or what if you only want to get in via ssh from a trusted host / trusted account? Then you don't need a password on the account. It might be a stretch, but someone could want that for root. Point being, tools shouldn't have arbitrary restrictions.

Amen. As a professional sysadmin, I am accustomed to working with a "locked" root account. I'll explain:

The authorized sysadmins here are given sudo command access to root privilege. Its logging of root privileged actions is important when figuring out what has changed on a system to explain new unwanted behavior it might exhibit.

The root account is not completely locked: our (competent) manager gave us an encrypted password string, and we installed that string in all the system /etc/shadow files (using sudo). So we don't know the root password. Now, if a system were to crash and be unable to fsck a filesystem, for instance, and demand the root password to boot, we can still recover it by retrieving it from a sealed envelope kept by the secretary, after which the root password gets changed again. Or boot from an install CD. Or from the network. Given those last two options, it would also be reasonable to operate with the root account locked completely, but the point is: tools should do what they are told; policy comes from people.

Or would you have rm -r refuse to operate in the root directory? In /etc? In /usr? In /home? In $HOME? Where would it stop?

Now, I'll wager that it's because the guru assumed that the username did not have root-privileges and assumed that the SUCCESS message was also a joke. (Since any non-root username should return an error, right?)

So, as far as he knows, the joke passed and was forgotten. A few minutes later, the 'su' command doesn't work.

Collective ?huh? from everybody involved.

So, the guru tries to figure out what happened. He's now realized that he now can't assume anything about the user or his system, so he asks if the user knew about the joke.

Guru: When I told you to type 'passwd -l root' were there any errors? (Not wanting to alarm the poor newbie prematurely)

Use a floppy distro like Tom's Root Boot and then mount your root drive and manually edit the /etc/shadow file to remove the root password (leaves it blank so you can give it a password again). If you are unsure about where the password is located there are man pages and several good tutorials on the net. I also have a copy of this floppy with me all the time - you never know when you'll need it (even to fix windows problems!).

Ummmm ... I can see why and how this happened, but one question nags at me; what was so funny about telling him to lock his root account in the first place? As a joke, irrespective of its unintended destructive consequences, I just don't see how it's humorous.

It's like telling a Windows newbie to erase a bunch of system files and then reboot. Sure, he should know better than to fall for it, but I'm not sure why it's so hilarious to begin with.
